Critical WordPress Plugin Flaw Allows Unauthenticated Admin Account Creation A severe security vulnerability (CVE-2026-1492) has been discovered in the User Registration & Membership WordPress plugin, enabling unauthenticated attackers to bypass security controls and create administrator accounts. The flaw, rated 9.8 (critical) on the CVSS scale, stems from improper privilege management, allowing attackers to specify any user role including administrator during registration without server-side validation. The plugin, used for custom registration forms and user profile management, is affected in versions up to and including 5.1.2. Exploitation grants attackers full control over compromised sites, enabling data theft, content manipulation, or backdoor installation. Security firm Wordfence has detected 74 active exploitation attempts in the past 24 hours. Researcher Foxyyy identified the vulnerability, which was disclosed on March 2, 2026, with an updated advisory on March 3. The vendor released a patch (version 5.1.3) that restricts role assignment during registration, preventing privilege escalation. However, the plugin has a history of security issues, including a separate authentication bypass flaw (CVE-2026-1779) in the same version. Administrators are advised to update immediately and audit existing accounts for unauthorized administrators. Monitoring registration endpoints for suspicious role requests is also recommended, as the flaw does not require prior authentication, leaving unpatched sites highly exposed.